Advances in network technology and the availability of open source tools such as Masscan, ZMap, and UnicornScan make Internet-wide mass scanning relatively easy to implement. In addition, different organizations routinely scan the Internet for various purposes. Together, these produce an overwhelming amount of unsolicited, omnidirectional network traffic, effectively forming a “background noise” in Internet traffic.
This background noise generates a large number of false alarms for network security analysts, who often waste many hours reviewing them. Due to the nature of omnidirectional mass scanning, alarms stemming from the background noise are much less significant than, for example, those stemming from targeted scans aimed specifically at a particular organization. However, current systems are unable to reliably differentiate between targeted and omnidirectional network traffic.